Surprise: pairing your Segway hoverboard to an app isn't a great idea

Hoverboards are still a thing, apparently, and they're still terrible. Researchers at IOActive have found that security oversights in the Ninebot by Segway miniPRO hoverboard could allow an attacker to remotely track hoverboard riders, circumvent safety locks, remotely execute code, and even take over the machine.

Thomas Kilbride, embedded devices security consultant at IOActive, tested his Ninebot over eight months and found that exploiting even a single vulnerability could yield full control of the hoverboard. He details his findings in a vulnerability report. The bugs primarily relate to an unsecured Bluetooth connection and the hoverboard's companion app. Since the disclosure, Ninebot has patched the bugs with an app update.

Users have to set a PIN to pair with their hoverboard, although Kilbride found that the PIN never actually changes from the default of "000000." Because of this, he could pair over Bluetooth and track communication between the hoverboard and its app. He could also apply his own firmware update to the device, so an attacker could do the same with modified and potentially malicious firmware. But perhaps most worrisome of Kilbride's findings is that the companion app tracks riders' locations through their phones' GPS, along with those of other riders in the area, making their locations easily accessible to someone who knows what they're doing.

While your hoverboard definitely isn't harboring your most sensitive data, it still isn't reassuring to know that some random person could take control of your hoverboard. Although that really is the most 2016 situation that could happen. Now we just need someone to investigate Bluetooth fidget spinner connections.